Re: X only needs CAP_SYS_RAWIO to start -- can be disabled after up

From: James Sutherland (jas88@cam.ac.uk)
Date: Mon Jul 24 2000 - 05:11:39 EST


On 24 Jul 2000, Mark Gray wrote:

> James Sutherland <jas88@cam.ac.uk> writes:
> > On 24 Jul 2000, Mark Gray wrote:
> >
> >>
> >> I just wanted to point out something a lot of people may be missing,
> >> and that is that once X is up and running, it is quite alright to
> >> disable CAP_SYS_RAWIO
> [snip]
> >> Fatal server error:
> >> xf86EnableIOPorts: Failed to set IOPL for I/O
>
> > In other words, when it starts, it completely disables all OS protection
> > for itself. Of course it no longer needs any capabilities - capabilities
> > can no longer be enforced for it!
>
> It drops root privileges once it is up and running.

It no longer needs root privilege for anything, since it has bypassed
Linux's controls almost completely. It's running at iopl3, which gives it
pretty much complete access to everything. Whether it is root or not no
longer matters.

> [snip]
> >> Capabilities are a splendid feature which needs to be more widely used
> >> on Linux servers in my opinion. It has the potential to be a very
> >> popular feature if properly applied.
>
> > And X doesn't. It uses one capability to disable subsequent capability
> > enforcement completely.
>
> You have the source to X -- they are not up to anything devious or

I never said they were up to something devious. It isn't X we have the
source to, BTW, it's XFree86. That's like saying "you have the source to
unix" when discussing the Linux kernel...

> would have been found out by now IMO, and iopl() does not give it the
> ability to regain CAP_SYS_RAWIO.

It could if it wanted. For that matter, it could almost certainly delete
the kernel image and all the other processes from memory, then load DOS
instead.

> It is too large to verify line by line on one's own I grant, and the
> binary only modules for XFree86-4.* are an abominable plot against
> Free software, but I have 3.3.6 and plan to do my own X hacking from
> now on if that is the way it is going to be.
>
> >> (Just a little fact that people following the security discussion from
> >> afar may have missed because it is not being mentioned.)
>
> > iopl() is a horrible abomination - as is X, for that matter :-(
>
> "You can not please everybody, so you got to please yourself"
>
> You can disable iopl() once you no longer need it though is the point.

OK, you can prevent OTHER software using it, once XFree86 is loaded. So
what? XFree86 has already switched off all the security in its little
area, so it can do what it wants when it wants.

> (I love X -- I have 5 X servers scattered about the house all logged
> into my main server, with networked sound, a single Emacs displaying
> on all computers -- it is a hacker's paradise which no other GUI has
> ever approached to my knowledge.)

X isn't a GUI...

James.
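
An added example, not part of the original message or of any project it mentions: a small C auditor that reads the capability masks in /proc/<pid>/status text and reports whether CAP_SYS_RAWIO is held, still obtainable, or dropped. The function names, verdict labels and sample status text are constructed for illustration, and the CapPrm/CapEff/CapBnd fields assume a current Linux kernel rather than the 2000-era one under discussion.

```c
/* Added example: audit /proc/<pid>/status text for CAP_SYS_RAWIO. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_RAWIO_BIT 17 /* value of CAP_SYS_RAWIO in <linux/capability.h> */

enum verdict { RAWIO_HELD, RAWIO_OBTAINABLE, RAWIO_DROPPED, RAWIO_UNKNOWN };

/* 1/0 = bit set/clear in the named mask, -1 = field missing or malformed. */
static int has_rawio(const char *status, const char *field)
{
    size_t n = strlen(field);
    const char *p = status;
    while (p && *p) {                       /* p always sits at a line start */
        if (strncmp(p, field, n) == 0) {
            const char *v = p + n;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;
            return (int)((strtoull(v, NULL, 16) >> CAP_SYS_RAWIO_BIT) & 1);
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

static enum verdict audit_rawio(const char *status)
{
    int prm = has_rawio(status, "CapPrm:");
    int eff = has_rawio(status, "CapEff:");
    int bnd = has_rawio(status, "CapBnd:");
    if (prm < 0 || eff < 0 || bnd < 0) return RAWIO_UNKNOWN;
    if (prm || eff) return RAWIO_HELD;  /* effective, or raisable via capset() */
    if (bnd) return RAWIO_OBTAINABLE;   /* exec of a privileged binary could gain it */
    /* DROPPED covers future iopl()/ioperm() requests only: port access
     * granted by an earlier iopl(3) is not recorded in these masks. */
    return RAWIO_DROPPED;
}

/* Constructed samples, not captured from a real system. */
static const char *SAMPLE_ROOT = "Name:\tXserver\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n";
static const char *SAMPLE_AFTER_DROP = "Name:\tXserver\nCapPrm:\t000001fffffdffff\nCapEff:\t000001fffffdffff\nCapBnd:\t000001fffffdffff\n";
static const char *SAMPLE_USER = "Name:\tsh\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n";

int main(void) {
    printf("%d %d %d\n", audit_rawio(SAMPLE_ROOT), audit_rawio(SAMPLE_AFTER_DROP), audit_rawio(SAMPLE_USER));
    return 0;
}
```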
